My infrastructure includes an external RADIUS server (Microsoft Windows 2012 R2 NPS), which provides 802.1X authentication to my wireless end users, and a CWP wireless agreement, which the end users have to accept in order to connect to the network.
I'd have to say I wish this was the setup, but it doesn't work correctly. Why?
Because in order to have an external RADIUS server (MS NPS) I have to have a security certificate, and the end user has to confirm the usage of the certificate during the authentication process in order to be able to authenticate via 802.1X. This is an MS requirement and I can't get around it, because the tunnel has to be encrypted prior to the handshaking for the AD credentials. Once the credentials are accepted, the end user gets connected to the wireless network every time automatically without being prompted for credentials, unless they change their password. So far, great.
When prompted for credentials, the CWP popup window appears and the end user can read and accept (or reject) the agreement and get connected to the network. Perfect, right?
The next time the end user is around, they get connected to the wireless network automatically because they already provided their credentials to the MS NPS. They are still verified, but that's transparent to the end user. Well, the CWP however has to be accepted again because this is how Aerohive programmed it, or at least that's what I've been told. Once the client hits the maximum "inactive client ageout" or disconnects from the network, it has to reconfirm the CWP. Since the end user already entered the 802.1X credentials in MS NPS, they are not asked for them, and from the wireless point of view the device has networking. The network indicator is "on" on the wireless device, and the user cannot go anywhere because they didn't accept the CWP. The CWP is not popping up because no credentials are being entered. The end user thinks they have network, but in reality they have to somehow sense that this is not true, and if they are expecting any network-related activity, they are out of luck. No email, calendar, or anything else network related will pop up because there is no network. If it is a cell phone, it still will not show any new emails because by default any cell phone gives priority to checking for Wi-Fi first, and guess what, it is there but it is not working because of the CWP.
My question is: how do I make 802.1X authentication with my AD work with the CWP popping up every time an end user needs to accept it? I can't ask the users to enter their username and password every time because we have a 16-character password policy; that's going to be very challenging, and perhaps the idea is not to enter the password each time.
Thank you in advance and let me know if you have questions.
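To make the failure mode described above concrete, here is a small session-state model of what the post describes (an added example, not Aerohive or NPS code): 802.1X re-authentication succeeds silently from cached credentials, while captive web portal (CWP) acceptance is a separate per-client gate that the AP forgets after the inactive client ageout, and the portal popup is only raised on interactive credential entry. The ageout value and the MAC address are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ClientState:
    mac: str
    dot1x_ok: bool = False       # NPS accepted the AD credentials over 802.1X
    cwp_accepted: bool = False   # user clicked through the captive web portal
    cwp_prompted: bool = False   # portal popup was raised on this connection
    idle_seconds: int = 0

@dataclass
class AccessPoint:
    ageout: int = 300            # assumed "inactive client ageout", in seconds
    clients: dict = field(default_factory=dict)

    def connect(self, mac: str, creds_typed: bool) -> ClientState:
        """creds_typed=True models the user entering AD credentials;
        False models the supplicant silently re-using cached ones."""
        st = self.clients.setdefault(mac, ClientState(mac))
        st.dot1x_ok = True       # NPS verifies the credentials either way
        # As described in the thread, the portal popup is only triggered by
        # the interactive credential entry, not by a silent re-authentication.
        st.cwp_prompted = creds_typed
        st.idle_seconds = 0
        return st

    def accept_cwp(self, mac: str) -> None:
        self.clients[mac].cwp_accepted = True

    def idle(self, mac: str, seconds: int) -> None:
        st = self.clients[mac]
        st.idle_seconds += seconds
        if st.idle_seconds >= self.ageout:
            st.cwp_accepted = False   # AP forgets the client; CWP gate resets

    def status(self, mac: str) -> tuple:
        """Returns (link indicator on, traffic actually forwarded)."""
        st = self.clients[mac]
        return st.dot1x_ok, st.dot1x_ok and st.cwp_accepted

def walk_through() -> list:
    """Replays the scenario from the question; returns per-step
    (link_up, forwarding, cwp_prompted) tuples."""
    ap, mac = AccessPoint(), "aa:bb:cc:00:00:01"    # constructed sample MAC
    steps = []
    st = ap.connect(mac, creds_typed=True)           # first connection
    if st.cwp_prompted:
        ap.accept_cwp(mac)                           # user accepts the agreement
    steps.append((*ap.status(mac), st.cwp_prompted))
    ap.idle(mac, ap.ageout)                          # away long enough to age out
    st = ap.connect(mac, creds_typed=False)          # silent 802.1X reconnect
    steps.append((*ap.status(mac), st.cwp_prompted)) # link on, no traffic, no popup
    return steps
```

The second step is the state the user is stuck in: the wireless indicator is on, 802.1X has passed, but nothing is forwarded because the CWP gate was reset and no popup was raised to re-accept it.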
If you have known devices coming into the network, you could try MAC auth, so the credentials are entered automatically for the end user, and they would still need to go through the CWP if they were no longer in the AP's roaming cache (usually because they've been disconnected for long enough that the AP drops the client's information to save space). MAC auth requires that you know the MAC addresses of your clients ahead of time; their username and password in your AD would be the device MAC address, and when the client connects, the device submits its MAC address as the credentials without the user needing to do anything for that part. Would that work for you?
This guide will show you how to set up MAC auth in case you're interested: https://thehivecommunity.aerohive.com/s/article/MAC-Authentication-Set-Up
I don't know the devices coming into the network. I don't have an issue with the credentials at all.